Web Application Analysis


Exploiting, Injecting WordPress

Wordpress Blackbox testing

What is WPScan?

WPScan is a wonderful and super fast WordPress vulnerability scanner written in Ruby, sponsored by RandomStorm and hosted on Google Code. It gives you an easy way to penetration-test WordPress blogs using blackbox techniques.

You can find out the following about any WordPress blog using this Ruby application:

  • List of plugins
  • Name of the theme
  • Brute forcing weak passwords for a specific user
  • Brute forcing usernames
  • Directory listings
  • Version details
  • Possible vulnerabilities

How to Install WPScan?

Before you install WPScan, you have to install a number of dependencies required by this tiny Ruby application. BTW, I am using BackTrack 5 Linux.

Dependencies :

apt-get install libcurl4-gnutls-dev
gem install --user-install mime-types
gem install --user-install xml-simple
gem install --user-install typhoeus

WPScan Installation :

cd /pentest/web/
wget http://wpscan.googlecode.com/files/wpscan-1.0.zip
unzip wpscan-1.0.zip
cd wpscan

How to use WPScan?

It is almost done. One more thing we need here is to download a wordlist, which will be used for brute forcing.

wget http://static.hackersgarage.com/darkc0de.lst.gz
gunzip darkc0de.lst.gz

Example usage of this application:

Do ‘non-intrusive’ checks…
ruby ./wpscan.rb --url www.hackersgarage.com

Do wordlist password brute force on enumerated users using 50 threads…
ruby ./wpscan.rb --url www.hackersgarage.com --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the ‘admin’ username only…
ruby ./wpscan.rb --url www.hackersgarage.com --wordlist darkc0de.lst --username admin

Generate a new ‘most popular’ plugin list, up to 150 pages…
ruby ./wpscan.rb --generate_plugin_list 150

Enumerate installed plugins…
ruby ./wpscan.rb --enumerate p
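The usage above shows what a WPScan run looks like from the attacker's side; the flip side is spotting one in your own web server logs. The following Ruby script is an added example, not part of the original post or of WPScan: it parses Apache/nginx combined-format log lines and flags a client that sends a scanner User-Agent, bursts of POSTs to wp-login.php (password brute forcing), or probes of many plugin readme.txt files (plugin enumeration). The User-Agent string, the thresholds and the sample log lines are constructed assumptions.

```ruby
require 'time'
# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "[^"]*" "(?<ua>[^"]*)"\z/

def parse_line(line)
  m = LOG_RE.match(line.strip) or return nil
  { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    method: m[:method], path: m[:path], status: m[:status].to_i, ua: m[:ua] }
end

# Returns { ip => [reasons] } for clients whose traffic looks like a WPScan run:
# a scanner User-Agent, a burst of wp-login.php POSTs (password brute force), or
# probes of many plugin readme files (plugin enumeration). Thresholds are assumptions.
def flag_wpscan(log_text, login_threshold: 10, window_s: 60, plugin_threshold: 5)
  by_ip = Hash.new { |h, k| h[k] = [] }
  log_text.each_line { |l| (e = parse_line(l)) && by_ip[e[:ip]] << e }
  findings = {}
  by_ip.each do |ip, events|
    reasons = []
    reasons << 'scanner user-agent' if events.any? { |e| e[:ua] =~ /wpscan/i }
    logins = events.select { |e| e[:method] == 'POST' && e[:path].start_with?('/wp-login.php') }
                   .map { |e| e[:time] }.sort
    logins.each_with_index do |t, i|           # sliding window over login attempts
      j = i + login_threshold - 1
      if j < logins.size && logins[j] - t <= window_s
        reasons << "#{login_threshold}+ wp-login.php POSTs within #{window_s}s"
        break
      end
    end
    plugins = events.map { |e| e[:path][%r{\A/wp-content/plugins/([^/]+)/readme\.txt}, 1] }.compact.uniq
    reasons << "plugin readme enumeration (#{plugins.size} plugins)" if plugins.size >= plugin_threshold
    findings[ip] = reasons unless reasons.empty?
  end
  findings
end

# Constructed sample log: one client enumerating plugins then brute forcing, one normal visitor.
SAMPLE_LOG = begin
  t0 = Time.utc(2023, 10, 10, 13, 55, 0)
  fmt = ->(ip, sec, meth, path, ua) {
    "#{ip} - - [#{(t0 + sec).strftime('%d/%b/%Y:%H:%M:%S %z')}] \"#{meth} #{path} HTTP/1.1\" 200 512 \"-\" \"#{ua}\""
  }
  lines = %w[akismet jetpack wordfence contact-form-7 wordpress-seo wp-super-cache]
          .each_with_index.map { |p, i| fmt.('203.0.113.7', i, 'GET', "/wp-content/plugins/#{p}/readme.txt", 'WPScan v1.0') }
  lines += (0...12).map { |i| fmt.('203.0.113.7', 10 + i, 'POST', '/wp-login.php', 'WPScan v1.0') }
  lines << fmt.('198.51.100.2', 30, 'GET', '/', 'Mozilla/5.0')
  lines.join("\n") + "\n"
end
puts flag_wpscan(SAMPLE_LOG).inspect if __FILE__ == $PROGRAM_NAME
```

Feed it a real access log with `flag_wpscan(File.read('access.log'))`; a scanner that spoofs its User-Agent still trips the behavioural checks.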

Still in trouble with the configuration? Ask in the comments.

Netsparker: False-Positive-Free Web Application Security Scanner


False-Positive Free

All web application security scanners report false positives, which means they report vulnerabilities that don't exist.

Netsparker will try lots of different things to confirm identified issues. If it can't confirm an issue and manual inspection is required, it will inform you about a potential issue, generally prefixed as [Possible]; but if the issue is confirmed, that's it: it is a vulnerability, and you can trust it.

Netsparker confirms vulnerabilities by exploiting them in a safe manner. If a vulnerability is successfully exploited, it can't be a false positive. Exploitation is carried out in a non-destructive way.

Technical Details

When Netsparker identifies an SQL injection, it can work out how to exploit it automatically and extract the version information from the application. When the version is successfully extracted, Netsparker reports the issue as confirmed, so you can be sure the issue is not a false positive.

The same applies to other vulnerabilities such as XSS (cross-site scripting), where Netsparker loads the injection in an actual browser and observes the execution of the JavaScript to confirm that the injection really does get executed in the browser.

Some of the great features supported by Netsparker:

  • JavaScript / AJAX / Web 2.0 Support
  • Detailed Issue Reporting
  • Automation
  • Logging
  • Reporting
      • XML
      • RTF / Word
      • PDF
  • Integrated Exploitation Engine
      • Exploitation of SQL Injection Vulnerabilities
      • Getting a reverse shell from SQL Injection vulnerabilities
      • Exploitation of LFI (Local File Inclusion) Vulnerabilities
      • Downloading source code of all crawled pages via LFI (Local File Inclusion)
      • Downloading known OS files via LFI (Local File Inclusion)
      • Post-Exploitation
  • Authentication
      • Basic Authentication
      • Form Authentication
  • Custom 404 Detection
  • Heuristic URL Rewrite Detection

List of Vulnerability Checks

The issues Netsparker looks for:

  • SQL Injection
  • XSS (Cross-site Scripting)
  • XSS (Cross-site Scripting) via Remote File Injection
  • XSS (Cross-site Scripting) in URLs
  • Local File Inclusions & Arbitrary File Reading
  • Remote File Inclusions
  • Remote Code Injection / Evaluation
  • OS Level Command Injection
  • CRLF / HTTP Header Injection / Response Splitting
  • Find Backup Files
  • Crossdomain.xml Analysis
  • Finds and Analyses Potential Issues in Robots.txt
  • Finds and Analyses Google Sitemap Files
  • Detect TRACE / TRACK Method Support
  • Detect ASP.NET Debugging: Netsparker identifies if ASP.NET debugging is enabled.
  • Detect ASP.NET Trace: Netsparker detects if ASP.NET tracing is enabled and accessible.
  • Checks for CVS, GIT and SVN Information and Source Code Disclosure Issues
  • Finds PHPInfo() pages and PHPInfo() disclosure in other pages
  • Finds Apache Server-Status and Apache Server-Info pages
  • Find Hidden Resources
  • Basic Authentication over HTTP
  • Source Code Disclosure
  • Auto Complete Enabled
  • ASP.NET ViewState Analysis
  • ViewState is not Signed
  • ViewState is not Encrypted
  • E-mail Address Disclosure
  • Internal IP Disclosure
  • Cookies are not marked as Secure
  • Cookies are not marked as HTTPOnly
  • Directory Listing
  • Stack Trace Disclosure
  • Version Disclosure
  • Access Denied Resources
  • Internal Path Disclosure
  • Programming Error Messages
  • Database Error Messages
